Microsoft has armor-plated Windows 8.1 against the most feared attack on the planet. Here are the nitty-gritty details you need to know

InfoWorld|Oct 1, 2013

Pass-the-hash (PtH) attacks are among the most feared cyber attacks in the computer world. Many of my largest customers (Fortune 500, government, and so on) have told me it's their No. 1 worry above all other attack types.

With PtH and other credential theft attacks, a hacker gains admin control over a computer, steals authentication credentials from disk or memory, and uses those credentials to initiate new connections and logons. Most operating systems are vulnerable to PtH attacks, although Microsoft Windows has certainly been the primary target thanks to its pervasiveness in the corporate environment and the availability of PtH tools.

Attackers using PtH attacks completely compromise just about every network they hit. Pretty much every APT (advanced persistent threat) attack team uses them. Every penetration test team uses them. And the tools to accomplish PtH attacks have only gotten better. That's why the anti-PtH measures built into Windows 8.1 are such a big deal.

Hands off the hash

Before Windows 8.1, the only real mitigations against PtH attacks were:

Don't let hackers get admin control of your box

Don't log on with elevated accounts, especially on computers not directly under your control

Restrict the ability of local accounts to be used over the network

Restrict what computers can connect to (using firewalls, IPSec, and so on)

Force a reboot after logging on with an elevated account

Unfortunately, most of these recommendations were difficult for most enterprises to implement without a lot of new policies, procedures, and elbow grease. On the software side, it's very difficult for any OS, including Windows, to stop PtH attacks while maintaining the SSO (single-sign-on) functionality customers absolutely require. Asking users to re-enter their logons every time they want to connect to a new application, service, or drive share is the quickest way to make your OS obsolete.

To the pleasant surprise of a lot of people, Windows 8.1 includes comprehensive pass-the-hash mitigations. While it doesn't completely eliminate the threat, it comes pretty darn close. Here's a summary of the PtH mitigations available in Windows 8.1: